Twistlock and thousands of other
attendees will be discussing a variety of open source and cloud native topics
while attending KubeCon + CloudNativeCon EU, May 2-4, 2018 in Copenhagen, Denmark.

From Domino's to Walmart, companies outside of traditional technology sectors are increasingly
staking their future on the ability to deliver software applications faster and
more reliably than their competition. DevOps, agile development, digital
transformation - these buzzed-about terms are the methodologies upon which this
acceleration is built. Underpinning these movements is the rise of continuous
delivery, microservices, and other cloud native technologies.

But there's a risky undercurrent to this focus
on delivering software faster. Put simply, all the attention has gone to
getting applications built and out the door, with very little being put towards
ensuring those applications are secure. In the past two years, there's been a
significant rise in the number of cyberattacks, data breaches, and hacks, and as more companies adopt DevOps practices
and cloud native technologies while maintaining a traditional security
approach,this number is only set to increase.

The
Barrier to Entry for Hackers has been Lowered

Whereas launching a cyberattack once took
significant technical training, resources, and planning, DIY hacking kits are
now traded across the dark web. Anyone willing to spend the money can gain all the necessary tools to
launch a crippling attack against a target of their choice. What's more,while
hackers used to seek ongoing control of a company's systems, or specific
information, they now race down the fastest path to cash. Whether that's
ransomware that locks corporate users out of their own systems or cryptominers
discreetly installed on line of business applications,both are simpler goals to
achieve than ongoing command and control.

It's easy to point fingers at Equifax or Panera - who both went months
before making necessary patches - but in doing so a bigger picture is missed.
The problem is with cybersecurity writ large. he industry has not seen anything
like the full-scale reinvention that IT operations saw with the DevOps
movement. As a result, security teams lack the tools or training to keep up
with their counterparts in development and operations groups.

With this in mind, it's no wonder that 94%
of respondents in a recent survey from analyst firm ESG claimed that
technologies such as containers negatively impacted security. While these technologies can actually more secure than the legacy
platforms they replace, the traditional approach to security fails entirely
when applied in this new world.

It's time for something to change in the way
cybersecurity has been practiced. The remainder of this article lays out five
principles for cybersecurity in this era of containers, continuous integration
and DevOps. By adopting these principles and choosing tools and processes to
complement them, companies can not only empower their security teams to keep up
with developers, but they can actually begin to deliver more secure software
than ever before possible. Let's take a look at those five pillars:

Implement
Continuous Security and Increase Visibility

"Shift left" is a very buzzy term these days in
security. he concept that by integrating security controls earlier into the
application delivery pipeline, an organization can improve it's overall
security posture. In itself, that's a powerful recommendation. By addressing
vulnerabilities before applications are ever shipped, organizations can
significantly reduce risk. But, this concept alone is not sufficient.

The challenge presented in breaches like Equifax
is the gulf between security teams who identify a new vulnerability or risk in
running applications, and the development teams responsible for remediation. To
close this gap, developers need visibility into the risk posture of their
applications even after those applications are deployed in production. If a new
CVE is identified in a production application, that information needs to
quickly (and ideally automatically) shared with developers along with an
assessment of the potential risks. By surfacing this information directly to
developers, they're able to prioritize security work in line with other
business needs and address risks sooner after they arise.

Automate
Policy Creation & Enforcement

Developers have tools like Jenkins to
automatically build and ship their code. Operations teams leverage Ansible or
Puppet to automatically scale out their infrastructure. Yet, security teams are
left manually configuring firewall rules and writing application-specific
security policy. In a world of continuous deployment, this manual effort simply
isn't possible. As a result, many teams shift towards more permissive security
policies, increasing their exposure simply to keep up with the speed of
software.

In order to address this, security teams must
adopt tools that automatically profile applications to create policy, then
automatically enforce those policies. This shifts the responsibility of
security teams away from being creators of security models, and into a
review/approve mindset that better enables them to keep pace with their
development counterparts.

Take a
Whitelist-First Approach

With the threat landscape shifting by the minute
and the number of risks growing exponentially, traditional blacklist based
approaches aren't sufficient for strong security. Modern cybersecurity must use
tools like machine learning to automatically profile applications and create
models based on expected good behavior -- shifting the security posture from
"prevent every known bad action" to "allow only known good actions." This not
only provides stronger overall security, but short-circuits the game of
catch-up with the bad guys security teams have historically engaged in

Developers
Can Help Ensure Applications are "Secure by Design"

Applications are typically developed against a
set of business requirements and a set of operational requirements. But it's
equally as important for developers to build towards security needs -
understanding not just how an application handles data, but also how to code in
a way that reduces risk vectors and. This often involves security teams
working directly with development groups to set requirements for each feature.
In teams without dedicated security-focused developers, this can be a rotating
role,where a member of the team takes ownership of all security features for
each sprint or release. This approach helps teams quickly uplevel their overall
security knowledge and ensures that building to security requirements is always
top of mind.

Defense in
Depth

Traditional security tools focused on a single
element of the application delivery lifecycle, or a single layer of the stack.
You had your network firewall, your application firewall, your active threat
protection, your vulnerability management, your source code analysis, and then
spent as many cycles integrating them all as you did gaining value from them.
Moreover, these tools couldn't learn from each other. What this means for many
organizations is that during an attack, they get alerts on individual steps in
the attack, but are left to correlate different anomalies together to form a
comprehensive picture of the incident and best understand the impact. This
approach doesn't scale.

Cloud Native Makes All This Possible

We're proud to work with innovative
organizations committed to leveraging containers and cloud native technology
throughout their business units. We're proud to be a trusted partner working
with talented teams to scale security in ways never thought possible.

##

About the Author

Josh Thorngren is Twistlock's VP of Marketing, where he
oversees product messaging and marketing activities. Prior to Twistlock, Josh
worked at Puppet, streamlining and scaling the marketing practice there. Josh
began his career managing operations for developers - before the world had a
better way to describe that combination. Since making the transition to the
dark side (marketing), he's spent the past 6 years helping devops-focused
organizations better bring their products to market.